Change the /user/login path?

I'm currently working on a site for a client who's a bit overly paranoid. When he learned that all drupal sites have a login page at /user/login he asked me to change that path to something else so he "won't get hacked".

I can't seem to figure out how to do it! Anyone have an idea? I've checked site info and other parts of the admin menu, my settings.php, no luck.

Comments

One way to do this is to write a module. You'll have to override the menu path for the user/login path and set it as access denied using hook_menu_alter(). Then you'll need to define a hook_menu() to define a new menu path to your secret login page.

For fun, I wrote a small module to do this for you. Just create the .info file and it should be ready to install. This module will give you a login screen at the path: /supersecretloginplace.

Let me know how it works, or if you find a different way to handle this.

Tom - this is awesome and works perfectly for me. Thanks! However, what if, when this module is active, I wanted anyone who goes to /user to get a 404 page instead of access denied? So it looked like the whole admin/login system didn't exist? Of course, if you were logged in, then /user should work as normal. Any thoughts?

I must be doing something wrong. I created a secretlogin.info file and copied the code you provided into a secretlogin.module file, placed them both in a folder (named secretlogin) and enabled it, but I just get an error at the top of the screen spitting out the code pasted in the module file.

If you copied the code verbatim into a file called secretlogin.module, then you will need to find and replace the function signatures to have secretlogin instead of moveloginpage at the beginning of each function name. For example change:

function moveloginpage_menu()

to

function secretlogin_menu()

The hooks in the module are invoked by calling <modulename>_<hookname>. You'll need to change every function in the module so that each function name starts with the module name.

Yeah, the user path is hardcoded into the menu system. If you really want this to work with your secret URL, you would have to hack the menu.inc file in the includes directory (includes/menu.inc). Look for the the line in the code below that says:
/****** HACK THIS LINE BELOW ******/

It is generally frowned upon to hack core, but sometimes you have no choice. In this case you have no other choice but to hack core because the URL is hardcoded in. In this scenario, I would just create a patch file of the hack, so as you upgrade Drupal, you can just reapply the patch to a clean file.

It's ok to hack core when there is no other way, but you need to keep track of your patches against a pristine core.

Core could actually handle this better if the user module actually registered the user login path, so that other modules can overwrite it, like I have done with this pseudo module.

Taking the lead from this I was trying to remove the registration and password pages as well but getting nowhere. Here is the code I have so far.
Going to /user/password gets me 'page not found' as expected however going to /sspassword gets me the page but with a warning instead of the form:

"warning: call_user_func_array() [function.call-user-func-array]: First argument is expected to be a valid callback, 'user_pass' was given in /usr/share/users/simha/includes/form.inc on line 366."

/user/register, however, still continues to work. As a matter of fact, i put in a var_dump and i don't see it on the webpage which means it is not even going to the function. And then /ssregister gives a page not found. I have even tried to modify the moveregisterpage_user_page function unconditionally to use drupal_goto() to send to home page but looks like the function is not getting called at all.

BTW, I also installed the 'util' module to assign a weight to the new module so that it gets loaded the last (just in case it was not).

hi anyone know if there is a module like this for Drupal 7 ? i too would like to change the /user login page as there are alot of bots preying on drupal sites since they all have the same login page on /user

The spamming of Drupal sites and the creation of fraudulent accounts (mainly by bots) is a serious issue. It costs site owners time (and therefore money).

Within 24 hours of opening registration on one of our (20 odd) sites a couple of days ago, we had more than 100 fraudulent accounts.

We stopped them in their tracks by two simple methods: first (and most obviously) captcha (we used the maths version) and by putting a front-page link that said it went to login/registration but in fact went to an intervening page with two links on it - one to a fictitious domain name (and so a dead end) and, later in the page) one to the correct userpage.

But neither of those methods block the bots that know which page to go to. And there are millions of site-owners who, like us, have this problem.

The code above seems to do exactly what we would need (but it's a bit scary from a non-techie's perspective) and I wonder if there might be a way to deal with this at the installation stage.

Would it be possible for the installation package to ask, before installation, for a page name for the page that is currently called "user" ?

I wonder if the easiest way (for those that know what they are doing - which isn't me) for CORE to include the user page as a variable and for that variable to be defined on set up. In that way, CORE would not have to be hacked and the page name would be stored in the data tables rather than hard coded (so no need to hack each update as it is applied). I don't think that would cause significant server load / system slowdown even on large sites.

If I'm right, this would involve a small re-write of a small part of CORE and the installation package (to create a new entry on the tables) and somewhere in the UI for the installer (and, perhaps for later changes, admin) to input the chosen name.

And it takes all the techie stuff away from non-techie users which is why we, amongst millions, chose Drupal.

Hi all, I just want the user, once logged in, to go to home page instead of the user page. I am using logontoboggin and can't figure it out. The override there does not seem to work for new users, and existing users I have no clue. Please help, as I am stuck in Nepal and there are no drupal techies here :) cheers!

I copied this approach pretty much verbatimin to do change the locations of my login and registration pages and it worked great. I was getting a user logging in and creating an account about once every 5 to 10 minutes, sometimes more often. It stopped. Completely. It's only been a day now, but that's progress. I still have links to the registration and login page from every page on my site too. This combined with LoginToboggan's ability to kill off a user account that doesn't confirm within X time frame is making me feel much better.

Just a fair warning to anyone using the method outlined by Tom Friedhof: this appears to not update the site:login-url token used in emails, etc, so it's possible you will end up with a situation in which your users are getting emails asking them to login at a url that either throws a 404 or 403 depending upon your implementation.